Custom Authentication Tokens for HTTP transport in OSB

Hi,
I have an HTTP type proxy service.
I want to secure the proxy service with a username and password that will be passed as HTTP user-defined headers, and I don't want to use "HTTP Basic Authentication".
Can you guide me on how this can be done?
Thanks.

Getting it to the front ...

Similar Messages

  • Retry mechanism for HTTP Transport in OSB

    Hi
    I am using OSB 11gR1. I have a business service which is HTTP protocol based.
    The BS is configured with the RetryCount as 0 and Retry Application Errors is enabled.
    I have to store the message in a persistent store or some store in case the endpoint URI is temporarily unreachable.
    Once the URI is reachable, the service should pick the data from the data store and send it across to the HTTP URI.
    Has anyone implemented this or knows how this can be configured?
    Please suggest and help.
    Regards
    Kshama

    Business Service by default does not have any persistence available (well, apart from the persistence used for throttling, which is not useful for this use case).
    You will need to add an explicit persistence layer between the Proxy Service which receives the message from the Client and the HTTP Business Service which calls the back end service provider.
    You will need a JMS queue, an additional JMS Business Service and a JMS Proxy Service in the flow.
    The flow should now look like the following:
    Client-->HTTP PS-->JMS BS-->JMS Queue-->JMS PS-->HTTP BS-->service provider
    You can set retry conditions on the XA enabled JMS queue so that it will keep retrying the messages which failed because destination was unreachable until they are delivered. You will be able to set a retry delay and maximum number of retries etc. Keep in mind that this would be an asynchronous flow.

  • How to unconfigure a Custom Authentication Module for Convergence

    After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence]
    , I decided to try to revert back to the default.
    How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.
    sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.servicename -v ""
    sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.callbackhandler -v ""
    sudo /opt/sun/comms/iwc/sbin/iwcadmin -w xxxxx -o auth.custom.loginimpl -v ""
    sudo /opt/SUNWappserver/bin/asadmin stop-appserv
    sudo /opt/SUNWappserver/bin/asadmin start-appserv
    AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter  Thread httpSSLWorkerThread-80-1 at 14:45:25,951 - SSO is disabled
    AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,953 - Subject not found in session, creating one
    AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,954 - Unabled to load the class due to 
    AUTH: ERROR from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent  Thread httpSSLWorkerThread-80-1 at 14:45:25,956 - Unable to instantiate callback handler 
    AUTH: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,957 - Failed to Login the user: Unable to instantiate callback handler 
    PROTOCOL: ERROR from com.sun.comms.client.protocol.delegate.LoginCommandDelegate  Thread httpSSLWorkerThread-80-1 at 14:45:25,960 - Protocol Error while login : Unknown Reason

    jessethompson wrote:
    > After flailing with the incomplete instructions for [Writing a Custom Authentication Module for Convergence|http://wikis.sun.com/display/CommSuite/Writing+a+Custom+Authentication+Module+for+Convergence], I decided to try to revert back to the default.
    > How do you remove the module and go back to the default? I tried to unset the options, but they did not seem to take effect.

    After enabling the custom login module using the steps in the earlier thread (http://forums.sun.com/thread.jspa?threadID=5318615), I performed the following steps to disable the custom module and re-enable the ldap auth module:
    # Disable custom auth-module
    cd /opt/sun/comms/iwc/sbin
    ./iwcadmin -w <admin password> -o auth.custom.servicename -v ""
    ./iwcadmin -w <admin password> -o auth.custom.loginimpl -v ""
    ./iwcadmin -w <admin password> -o auth.custom.callbackhandler -v ""
    ./iwcadmin -w <admin password> -o auth.misc.CredentialFile -v ""
    # Re-enable the LDAP auth-module
    cd /opt/sun/comms/iwc/sbin
    ./iwcadmin -w <admin password> -o auth.ldap.callbackhandler  -v com.sun.comms.client.security.auth.AppCallbackHandler
    ./iwcadmin -w <admin password> -o auth.ldap.loginimpl -v com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule
    # Restart App Server
    cd /opt/SUNWappserver/bin/
    ./asadmin stop-domain; ./asadmin start-domain
    # Login to iwc interface as user shjorth with password oldpwd
    # Login successful with oldpwd -- custom auth module successfully disabled, LDAP re-enabled
    Regards,
    Shane.

  • NAM 3.2.1 Custom Authentication Class for BASIC not loaded

    Hi!
    I'm trying to write a custom authentication class for
    BASIC/PROTECTED_BASIC, so I started with the PasswordClass sample from
    SDK novell-nacm3_2-devel-2012.08.10.tar.gz, stripped out the
    STSAuthenticationClass and changed the type to
    AuthnConstants.PROTECTED_PASSWORD --> and it works!
    public String getType() {
        return AuthnConstants.PROTECTED_PASSWORD;
    }
    Next I wanted to create a custom BASIC auth class by changing the type
    to AuthnConstants.BASIC / AuthnConstants.PROTECTED_BASIC
    public String getType() {
        return AuthnConstants.PROTECTED_BASIC;
    }
    but now IDP complains about the unsupported type.
    <amLogEntry> 2012-12-20T15:11:17Z WARNING NIDS Application:
    AM#300105006: AMDEVICEID#FC77EC2A45509E7B: Failed to load
    authentication class due to unsupported type: ITdBasicTestClass
    </amLogEntry>
    I'm running NAM 3.2.1 single box appliance for development/testing.
    There is an old thread here, that looks like the same issue:
    http://tinyurl.com/c6eawj6
    Any hints?
    regards
    Thomas
    PS: What I really want to solve is to strip out the Domain from the
    username on basic authentication since most MS apps/clients provide the
    username in format DOMAIN\USER...
    reibenwein

    hmmm, well try writing the value out to stderr and see if you can at least make sure you are getting
    a good read.
    Like a System.out.println(AuthnConstants.PROTECTED_PASSWORD);
    I ran into some strange stuff where some constants had no values for no apparent reason when they
    should.
    I would also try supplying the actual value instead of the constant and see if it goes through that
    way. ("ProtectedBasic")
    On 1/10/2013 11:14 AM, reibenwein wrote:
    >
    > Hi!
    >
    >
    > I copied com.novell.nam.authentication.PasswordClass to start with my
    > test custom auth class. It includes a method getType() like this:
    >
    > /**
    > * Get the authentication type this class implements
    > *
    > * @return returns the authentication type represented by this class
    > */
    > public String getType() {
    > return AuthnConstants.PROTECTED_PASSWORD;
    > }
    >
    >
    > --> IDP loads my custom auth class, as long as I leave getType()
    > returning AuthnConstants.PROTECTED_PASSWORD! But this is form-based
    > authentication. According to the API documentation (see page 17 in
    > namc_enu.pfd within the sdk download), getType should
    > return AuthnConstants.PROTECTED_BASIC for secure Basic authentication
    > (or AuthnConstants.BASIC for non SSL Basic auth). So I changed getType()
    > like this:
    >
    >
    > /**
    > * Get the authentication type this class implements
    > *
    > * @return returns the authentication type represented by this class
    > */
    > public String getType() {
    > return AuthnConstants.PROTECTED_BASIC;
    > }
    >
    >
    > --> and then IDP comes with the error "Failed to load authentication
    > class due to unsupported type"...
    >
    >
    > regards,
    > Thomas
    >
    >

  • URGENT help required : Custom Authentication Plugin for validation of users

    Hi Experts.
    I'm a newbie and am stuck in middle of nowhere.
    I have been asked to develop a custom authentication plug-in which would validate a user using the attributes such as a userid and a shared-userid.
    shared-userid is just a custom id that would be generated on the basis of some logic.
    Currently I'm using OAM 10.1.4.3.0 on WINDOWS server and as everybody, I'm also not able to find any sample files or sample folder structure.
    As per one of the other threads https://forums.oracle.com/forums/thread.jspa?messageID=3838474, sample code and sample folders are removed from this particular version and were present in some previous version.
    So, can anyone please help me out with the following:
    1. How can I proceed to accomplish this task, i.e. to check whether a user-id and a shared-userid both are validated and a user is granted access.
    2. Are all of these files required to create a custom authentication plug-in or can we proceed only with the ".c" file (i.e. make file, authn.c, and a dll file made using the make file and .c file)
    3. Can anybody provide me with a sample file or a sample code written in "C" wherein the plug-in connects to the LDAP and searches for a particular dn for comparison or something. Also a sample make file for windows to convert the .c file to .dll.
    PLEASEEEE help me ASAP.
    Regards
    Edited by: 805912 on Nov 15, 2011 7:18 PM

    Hi,
    Regarding question 2, you also need the header file, which is supplied in the Access Server installation directory, under ...access\oblix\sdk\authn_api and is called authn_api.h. You need this to build the dll, which must then be placed in the Access Server's ...\access\oblix\lib directory.
    Regarding question 3, if you install an earlier version of the Access Server, i.e. 10.1.4.2 or less, then you will get a \access\oblix\sdk\authentication\samples\authn_api directory that contains a basic sample authentication plugin. However, another sample plugin, simplapi.c, is still documented in the 10.1.4.3 Developer Guide, with instructions on how to use it. It does work, but unfortunately requires a couple of edits to get it working after copy&pasting it (no code changes, just fairly obvious case changes, e.g. changing ObanPlugin* to ObAnPlugin*). I used the following commands to get it to compile into a .so file on unix:
    g++44 -c -fPIC -Wno-deprecated -m32 simpleapi.c
    g++44 -shared -nostdlib -lc -m32 simpleapi.o -o simpleapi.so
    but I really would not know if or how these translate into a Windows environment.
    Regards,
    Colin
    Edited by: ColinPurdon on Nov 15, 2011 2:50 PM

  • Authentication syntax for HTTP GET method using TCP functions in Labview on linux

    Hi,
    Currently, I am trying to communicate to web server. I have Labview installed on a Linux machine. The HTTP function blocks and other labview functions do not work. Hence, I am building a HTTP code string using TCP functions (port 80) to talk to the web server. I am successfully able to fetch a response from web sites (example www.ni.com) from my vi. However, when I try to communicate to my web server, it does not work. It requires an authentication. I am able to open http://ipaddress in my browser from my machine using username and password. Can someone help with Authentication string requirement for GET method?
    So far the string is:
    GET /index/ HTTP/1.1
    Host: http://xx.xx.xx.xx

    An easy option would be to try http://user:password@server syntax for the URL.
    Else I posted a Twitter fetcher once (won't work anymore since Twitter moved to Oauth authentication) at LAVA. Based on code from @cloew.
    The code is part of this LLB.
    Ton
    Free Code Capture Tool! Version 2.1.3 with comments, web-upload, back-save and snippets!
    Nederlandse LabVIEW user groep www.lvug.nl
    My LabVIEW Ideas
    LabVIEW, programming like it should be!
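
The request string from the question with a Basic credential added, plus a parser for the server's 401 challenge, as an added example that is not code from the thread. The address, path, realm and credentials are constructed placeholders; the function names are hypothetical.

```python
import base64
import re


def basic_credentials(username, password):
    """Value of the Authorization header for HTTP Basic authentication."""
    if ":" in username:
        # The server splits user-id from password at the first colon.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_get_request(host, path, username, password):
    """Raw bytes to write to the TCP connection for an authenticated GET."""
    for value in (host, path):
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF is not allowed in the request line or headers")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",  # host name or address only, without a scheme
        f"Authorization: {basic_credentials(username, password)}",
        "Connection: close",
        "",  # the empty line that ends the header block
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_challenge(response_head):
    """For a 401 response return {'scheme', 'realm'}; otherwise None."""
    head = response_head.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "401":
        return None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            scheme, _, params = value.strip().partition(" ")
            realm = re.search(r'realm="([^"]*)"', params)
            return {"scheme": scheme, "realm": realm.group(1) if realm else None}
    return None


# Constructed sample of a server reply when credentials are missing or wrong.
SAMPLE_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="device"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_challenge(SAMPLE_401))
    print(build_get_request("192.0.2.10", "/index/", "labuser", "example-password").decode())
```

Basic credentials are only base64-encoded, so on port 80 they cross the network readable by anyone on the path; use HTTPS where the server offers it.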

  • Implement Flash Player for HTTP Streaming

    Is there any sample code for this?  I have a Java background but haven't done much ActionScripting.  I want to play back an HTTP Dynamic Stream (f4m) that has been packaged with Flash Access.  Also want to set a custom Authorization Token.  I'm using CS5 for my development environment.  Any help would be much appreciated.
    /OG

    Hi Eric,
    Yes, we've been using the OSMF player to play back the streams - I need to add a custom authentication token to the license request. I understand that I need to call DRMManager.setAuthenticationToken on the flash player. I did go through several of the OSMF Sample tutorials, but it is not clear how and where to make this call. Looking for a starting point - is there an OSMF player that I can quickly modify for our POC?
    thanks,
    Lawrence

  • Strange problem when using custom authentication schema

    Hello,
    I'm building a custom authentication system for the application. Basically, I followed the blog post from Martin: http://www.talkapex.com/2009/03/custom-authentication-status.html
    However, the authentication seems to be working fine at the beginning when running page 101 from Application Builder and logging in, but when I log out from the application (redirect back to page 101) and try to log in with the same credentials, it gives the error message "Invalid Login Credentials". Also, when the application is accessed from public (opening page 101 directly using another computer), the authentication doesn't work at all.
    Furthermore, I checked the table apex_workspace_access_log and found out that it has "AUTH_SUCCESS" even when using fake credentials and the login failed (I use "apex_util.set_authentication_result (p_code => 3);" when the auth function returns false).
    I couldn't find the cause of the problem, so I created the same custom authentication in apex.oracle.com. The problem doesn't appear anymore. To make sure they are the same, I have double-checked the custom authentication in both the development environment and apex.oracle.com.
    This is very strange to me and I don't know where to look for the problem. Could you give me some advice on what may cause this problem? Thanks in advance!

    I found the problem myself. The cause is the VPD, the account table has VPD policy applied, which prevented public access.

  • WS-Security: Custom/Proprietary tokens in SOAP Header

    Hi All,
    We are consuming a web service hosted by an external system. They seem to support WS-Security, but they need a custom/proprietary token for the field <wsse:BinarySecurityToken/> in the SOAP header.
    Is there any possibility to use the standard Web Services Security profile in the SOAP receiver adapter and achieve this task?
    Thanks for your time.
    Best Regards,
    Sudharshan N A

    Hi,
    How are you testing? Do you use the test page from Enterprise Manager? If so, change the input to "XML View" and add the SAML header. They usually look like this:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <saml:Assertion MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="SAML-MYBrexylXmDyTN9kS08Ygw22" IssueInstant="2011-06-21T12:43:52Z" Issuer="www.oracle.com">
    <saml:Conditions NotBefore="2011-06-21T12:43:52Z" NotOnOrAfter="2011-06-21T12:48:52Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2011-06-21T12:43:52Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">tester1</saml:NameIdentifier>
    <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
    </saml:Subject>
    </saml:AuthenticationStatement>
    </saml:Assertion>
    </wsse:Security>
    </env:Header>
    <env:Body>
    </env:Body>
    </env:Envelope>
    cheers Nicolas
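
What a receiver would check on an assertion shaped like the one in this reply, as an added example that is not from the thread: the Conditions validity window, the confirmation method, and whether a ds:Signature is present. The envelope is a constructed sample modelled on the header above (assertion ID replaced); the function names and the 60-second clock skew are assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

# Constructed sample, modelled on the header posted above.
SAMPLE_ENVELOPE = """\
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
 <env:Header>
  <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <saml:Assertion MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
       AssertionID="SAML-constructed-example" IssueInstant="2011-06-21T12:43:52Z" Issuer="www.oracle.com">
    <saml:Conditions NotBefore="2011-06-21T12:43:52Z" NotOnOrAfter="2011-06-21T12:48:52Z"/>
    <saml:AuthenticationStatement AuthenticationInstant="2011-06-21T12:43:52Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
     <saml:Subject>
      <saml:NameIdentifier>tester1</saml:NameIdentifier>
      <saml:SubjectConfirmation>
       <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
     </saml:Subject>
    </saml:AuthenticationStatement>
   </saml:Assertion>
  </wsse:Security>
 </env:Header>
 <env:Body/>
</env:Envelope>
"""


def parse_instant(value):
    """Parse a UTC instant in the form used above, e.g. 2011-06-21T12:43:52Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(envelope_xml, now, skew=timedelta(seconds=60)):
    """Return subject, confirmation method and a list of findings."""
    # For untrusted input, parse with a hardened XML parser (e.g. defusedxml).
    root = ET.fromstring(envelope_xml)
    assertion = root.find("env:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        return {"subject": None, "method": None,
                "findings": ["no saml:Assertion in the wsse:Security header"]}
    findings = []
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        findings.append("no Conditions element, so no validity window")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            findings.append("not yet valid")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            findings.append("expired")
    method = assertion.findtext(".//saml:ConfirmationMethod", default="", namespaces=NS).strip()
    subject = assertion.findtext(".//saml:NameIdentifier", default="", namespaces=NS).strip()
    if assertion.find("ds:Signature", NS) is None:
        if method == SENDER_VOUCHES:
            # Nothing in the assertion itself proves who wrote it.
            findings.append("unsigned sender-vouches assertion: identity rests on authenticating the sender")
        else:
            findings.append("unsigned assertion")
    return {"subject": subject or None, "method": method or None, "findings": findings}


if __name__ == "__main__":
    for instant in ("2011-06-21T12:40:00Z", "2011-06-21T12:45:00Z", "2011-06-21T12:50:00Z"):
        print(instant, check_assertion(SAMPLE_ENVELOPE, parse_instant(instant))["findings"])
```

The sample is valid for five minutes only, so a header pasted into a test page stops passing the window check shortly after it was issued.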

  • Proxy authentication popup for Https is not getting displayed

    Hi,
    We have a proxy server in Java, and it should ask for authentication. With old browser versions (IE6, Opera) we get a proper proxy authentication prompt for HTTPS as well as HTTP requests.
    But with newer browser versions (IE8, Firefox 2, ... 3) we are not getting the proxy authentication prompt for HTTPS requests only (for HTTP it's working fine).
    Actually, the proxy server asks for authentication for the very first request only, but if the first request is HTTPS then it fails with a 407 error. As per the logic, whenever we set response.setStatus("407"); response.setMessage("Proxy authentication required"); it should prompt for proxy authentication, and it's working fine for old browsers and for HTTP requests, but it's not working for new browsers with HTTPS requests.
    Could you please provide some information on how to achieve proxy authentication for HTTPS and new browser versions?
    Following is the code used for it:
    /* ResponseProcessor.java */
    public static Response createResponse(ScriptableConnection connection, String message) {
        Response response = new Response();
        Request request = connection.getRequest();
        response.setRequest(request);
        if (message.equals(SPConstants.TECHNICAL_ISSUES)) {
            response.setContent(message.getBytes());
        }
        if (message.equals(SPAuthorizationConstants.INVALID_CREDENTIALS)) {
            //response.setVersion(request.getVersion());
            // Challenge the client for proxy credentials
            response.setHeader("Proxy-Authenticate", "Basic");
            response.setStatus("407");
            response.setMessage("Proxy authentication required");
            // Only send a body when the client already presented credentials
            if (request.getHeader("Proxy-Authorization") != null) {
                response.setContent(message.getBytes());
            }
            return response;
        }
        return response;
    }
    /* ConnectionHandler.java */
    public void run() {
        String authorizationStatus = RequestProcessor.checkUserPreRequiste(request, user, ticket, statusVisitor); // SP CODE
        if (authorizationStatus.equals(SPAuthorizationConstants.USER_IS_AUHTORIZED)) { // SP CODE
            try {
                response = hc.fetchResponse(request);
                if (response.getRequest() != null)
                    request = response.getRequest();
            } catch........
        } finally {
            // Close both client streams and the socket
            try {
                if (_clientIn != null)
                    _clientIn.close();
                if (_clientOut != null)
                    _clientOut.close();
                if (_sock != null && !_sock.isClosed()) {
                    _sock.close();
                }
            } catch (IOException ioe) {
                _logger.warning("Error closing client socket : " + ioe);
            }
        }
    .......
    Thanks in advance,
    Sachin

    Hi
    Follow the steps
    In your current view where you create your popup window, create a model attribute named "popWin" of type IWDWindow.
    In code, after creating the popup window, assign the window object to the context element:
    IWDWindow window = WDComponentAPI.getWindowManager().createWindow(WindowInfo, true);
    wdContext.currentContextElement().setPopWin(window);
    In the popup window view, create a model attribute named popWin of type IWDWindow and map it to the one that was created before.
    Set the code on btnaction:
    IWDWindow popwin = (IWDWindow) wdContext.currentContextElement().getPopWin();
    popwin.destroyInstance();
    This will work
    Regards
      - Vinod
    Edited by: Vinod V on Mar 3, 2008 7:21 PM

  • OSB Http Transport Custom Authenticatiion (X509 in Http header)

    Hello!
    I'm trying to solve this case. We have an F5 load balancer that terminates SSL connections from the client to the OSB. When terminating the SSL, the LB adds the client's certificate into the headers of the HTTP request going to OSB.
    The OSB proxy service is configured to use custom authentication with token type X509 (the only choice in the OSB console).
    What happens when I send the request to OSB is that I get HTTP code 401 (unauthorized) and this error in the server log:
    ####<Sep 27, 2011 3:08:05 PM EEST> <Error> <WliSbTransports> <appserver02> <MANSERV02> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1317125285598> <BEA-381327> <Transport-level custom token identity assertion failed
    java.lang.ClassCastException: java.lang.String cannot be cast to [Ljava.security.cert.X509Certificate;
    The HTTP header sent to OSB is in the messages below.
    It has also been sent without the BEGIN CERTIFICATE and END CERTIFICATE lines, with the same results.
    Can somebody help me with:
    a) In what form should the certificate be sent from LB to OSB?
    b) How should the OSB/WLS be configured for this to work?
    OSB version is 10.3.1.
    Request to the server is:
    POST /prjTemplateService/ProxyServices/psvcHelloWolrdWSSSLInterface HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: text/xml;charset=UTF-8
    SOAPAction: "urn:#HelloWorldOperation"
    User-Agent: Jakarta Commons-HttpClient/3.1
    Host: <ip_here>
    Content-Length: 459
    SSLClientCertStatus: ok
    SSLClientCertb64: -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    SSLClientCertSN: 4d:ac:00:17
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:Hello:client">
    <soapenv:Body>
    <urn:HelloWorldRequest>
    <urn:FirstName>Jolly</urn:FirstName>
    <urn:Surname>Roger</urn:Surname>
    </urn:HelloWorldRequest>
    </soapenv:Body>
    </soapenv:Envelope>
    Response from OSB:
    HTTP/1.1 401 Unauthorized
    Connection: close
    Date: Fri, 30 Sep 2011 08:32:33 GMT
    Content-Length: 1518
    Content-Type: text/html
    X-Powered-By: Servlet/2.5 JSP/2.1
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN">
    <HTML>
    <HEAD>
    <TITLE>Error 401--Unauthorized</TITLE>
    <META NAME="GENERATOR" CONTENT="WebLogic Server">
    </HEAD>
    <BODY bgcolor="white">
    <FONT FACE=Helvetica><BR CLEAR=all>
    <TABLE border=0 cellspacing=5><TR><TD><BR CLEAR=all>
    <FONT FACE="Helvetica" COLOR="black" SIZE="3"><H2>Error 401--Unauthorized</H2>
    </FONT></TD></TR>
    </TABLE>
    <TABLE border=0 width=100% cellpadding=10><TR><TD VALIGN=top WIDTH=100% BGCOLOR=white><FONT FACE="Courier New"><FONT FACE="Helvetica" SIZE="3"><H3>From RFC 2068 <i>Hypertext Transfer Protocol -- HTTP/1.1</i>:</H3>
    </FONT><FONT FACE="Helvetica" SIZE="3"><H4>10.4.2 401 Unauthorized</H4>
    </FONT><P><FONT FACE="Courier New">The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.</FONT></P>
    </FONT></TD></TR>
    </TABLE>
    </BODY>
    </HTML>

    > by using Client Cert authentication I have to set HTTPS required to true.

    Yes.

    > When I try to invoke this service with http request, it redirects to https service.
    > This actually just trashes the entire idea of terminating SSL in the load balancer.

    Not necessarily. Although a direct HTTP request to WebLogic is redirected to the HTTPS-enabled port, you can still use this setting with the WebLogic plugin. I'm not aware of your deployment, but I use the Apache plugin for WebLogic, terminate SSL on Apache and I'm still able to send requests authenticated by certificate from the client through HTTPS.
    I don't know about F5, but I guess there should be similar feature as well.
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/cluster/load_balancing.html
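
The ClassCastException in the question shows the header arriving as a String where certificate objects were expected. As an added example (not OSB, WebLogic or F5 code, and written in Python for illustration), this shows what turning such a header into certificate bytes involves, with and without the BEGIN/END lines, and why the header can only be honoured when the request really came from the load balancer. The proxy address, function names and the stand-in DER value are assumptions; the header names are the ones in the request above.

```python
import base64
import binascii
import re

TRUSTED_PROXIES = {"192.0.2.10"}  # assumption: address of the load balancer
CERT_HEADER = "SSLClientCertb64"
STATUS_HEADER = "SSLClientCertStatus"

_ARMOR = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

# Constructed stand-in: a 12-byte DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("300a020101040568656c6c6f")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")


def to_pem(der):
    """Armor DER bytes the way the header in the question carries them."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----"])


def _check_der_sequence(der):
    """A certificate is one DER SEQUENCE whose length covers the whole value."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        length, offset = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):
        raise ValueError("truncated value or trailing bytes")


def header_to_der(value):
    """Decode the header string to DER; PEM armor and whitespace are optional."""
    body = "".join(_ARMOR.sub("", value).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("header is not valid base64") from exc
    _check_der_sequence(der)
    return der


def client_cert_from_request(peer_ip, headers):
    """Return the forwarded certificate as DER bytes, or None if not acceptable."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if peer_ip not in TRUSTED_PROXIES:
        # A client that reaches the service directly can set these headers itself.
        return None
    if lowered.get(STATUS_HEADER.lower(), "").strip().lower() != "ok":
        return None
    value = lowered.get(CERT_HEADER.lower())
    if not value:
        return None
    return header_to_der(value)


if __name__ == "__main__":
    forwarded = {STATUS_HEADER: "ok", CERT_HEADER: to_pem(SAMPLE_DER)}
    print(client_cert_from_request("192.0.2.10", forwarded))    # from the load balancer
    print(client_cert_from_request("198.51.100.7", forwarded))  # direct client: ignored
```

The DER bytes still have to go through a real X.509 parser and chain validation; the load balancer should also drop any copy of these headers that arrives from the client side.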

  • Custom WS Policy with Service account in OSB while invoking a https service

    Hi,
    I need your help with one of my issues in invoking an https service from OSB. I read through various postings and tried the below steps in this forum
    -Added the certificate for the https site to soa domain
    -Registered the https webservice as a Business service
    -Registered a proxy service on top of this Business service
    -In the service call out on Proxy service I did a replace operation on the entire soap header with the below string
    <soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
              <wsse:Username>sysuser@yahoo</wsse:Username>
              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ABIHAIKLPLKLPMLERLER</wsse:Password>
         </wsse:UsernameToken>
    </wsse:Security>
    </soapenv:Header>
    -After doing all the above steps my call out worked from the test console. If you look closely, the userid (sysuser@yahoo) and password (ABIHAIKLPLKLPMLERLER) are hard coded here.
    I need a way to mask the credentials and have the user pass them when they invoke the proxy service. I read through some postings and it was listed that we can create a custom policy and attach that custom policy to the Business service. But my problem here is the userid has an extra char @, so I wasn't able to create the user account with those credentials in OSB, but I was able to create the userid and password using a service account. I am not sure how I can use this service account along with the custom policy.
    Can you please provide me a suitable approach, which will solve my issue? I appreciate your time and help.
    Thanks
    Jagan.

    Hi,
    Below are the steps followed
    - OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
    - I am invoking this from BPEL. BPEL process has 'oracle/wss_username_token_client_policy' attached.
    - I can invoke the osb proxy from bpel by passing credentials - No Issues.
    Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
    -I used Role=Admin as a policy condition restriction under security in Proxy service.
    -Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has an Admin Role.
    -I cannot invoke the same proxy service from BPEL in Jdeveloper now.
    All I am trying to do is to protect my proxy by authorization policy.
    Thanks
    Jagan.

  • New server and/or CA certificate for connection from custom authentication

    We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
    I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in Spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
    My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
    Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
    Relevant things I've tried so far:
    Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
    Import the IPS CA into the web server cert8 style db via the web admin server.
    The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
    Part of the stack:
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
    The relevant bit of code from the SecureURL.retrieve looks as follows:
            URL u = new URL(url);
            if (!u.getProtocol().equals("https"))
                throw new IOException("only 'https' URLs are valid for this method");
            URLConnection uc = u.openConnection();
            uc.setRequestProperty("Connection", "close");
            r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
            String line;
            StringBuffer buf = new StringBuffer();
            while ((line = r.readLine()) != null)
                buf.append(line + "\n");
            return buf.toString();
        } finally { ...
    The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
    Thank you very much for any insights and help,
    Ethan

    I thought since this has had a fair number of views I would give an update.
    I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
    certutil: certificate is valid
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    certutil: certificate is invalid: Certificate type not approved for application.
    root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
    root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    FSU Wildcard Certificate : Certificate type not approved for application.
    So it could be that I don't understand how to use certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
    BTW for those interested, it did seem to be the case that when the certificate failure occurred, an attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
    This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
    After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.
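A fail-closed variant of the retrieve logic quoted in the thread above, added here as an example (it is not the CAS client's or the Access Manager's own code): it refuses to send anything unless the protocol handler returns a javax.net.ssl.HttpsURLConnection, and it validates the server against an explicitly loaded trust store instead of whichever store the container happens to use. It assumes the standard JSSE handler and Java 7 or later; the class name StrictHttpsFetch and the trust store path and password arguments are hypothetical.

```java
import java.io.*;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.*;

public class StrictHttpsFetch {
    // Build an SSLContext that trusts only the CAs in the given JKS file
    // (hypothetical path and password, supplied by the caller).
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static String retrieve(String url, SSLContext ctx) throws IOException {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol()))
            throw new IOException("only 'https' URLs are valid for this method");
        URLConnection uc = u.openConnection();
        // Fail closed: a replaced protocol handler may hand back a non-TLS connection.
        if (!(uc instanceof HttpsURLConnection))
            throw new IOException("handler returned " + uc.getClass().getName()
                + ", not an HttpsURLConnection; refusing to send");
        HttpsURLConnection https = (HttpsURLConnection) uc;
        https.setSSLSocketFactory(ctx.getSocketFactory());
        https.setInstanceFollowRedirects(false); // never follow a redirect silently
        https.setConnectTimeout(5000);
        https.setReadTimeout(5000);
        https.setRequestProperty("Connection", "close");
        StringBuilder buf = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(https.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null)
                buf.append(line).append('\n');
        }
        return buf.toString();
    }

    public static void main(String[] args) throws Exception {
        // args: <https-url> <truststore.jks> <password>, all supplied by the operator
        System.out.print(retrieve(args[0], contextFor(args[1], args[2].toCharArray())));
    }
}
```

With this check in place an untrusted certificate surfaces as an SSLHandshakeException, and a handler that would hand back a plain HTTP connection produces an explicit error before any request is written.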

  • Define HTTP Session Attribute in a Custom Authenticator

    Hello everyone, I successfully developed a Custom Authenticator for WLS10 that interacts with a web service.
    But now I need to provide an object to the web applications with some user information.
    I was wondering about defining the object in the HTTP Session but I don't know how to do it via the LoginModule of the custom authenticator.
    Can anyone provide me some tips?
    thanks in advance.

    What kind of user information do you need to pass on to the webapplication ? username can be retrieved by request.getRemoteUser() (after successful login).
    Maybe you need to clarify a little bit more what you want to achieve.
    -Utpal

  • OSB proxy for HTTP GET servlet

    Hello,
    I need to create a proxy in OSB that will accept HTTP/GET requests (with ?param1=value1&param2=value2.... parameters).
    My goal is simply to forward this request to another servlet in J2EE instance that will actually serve the request and send back to OSB the text/xml response.
    Can you please point me to the correct proxy and business service configuration for this?
    Our SOA version is 10.3.6 and we have OSB and J2EE servers in our domain.
    Thanks
    Edited by: 995036 on May 31, 2013 4:19 AM

    Hello again,
    I found the solution so I will share it with you in case someone needs it in the future.
    I created a business service with Service Type "Messaging service", request message type "none", response message type "text" and Http transport "GET".
    I created a proxy service with Service Type "Messaging service", request message type "text", response message type "text". I created a routing node in my flow directed to the business service mentioned above. In the routing pipeline request I put the following actions:
    1) Assign (to assign the inbound query string to a variable)
       expression: $inbound/ctx:transport/ctx:request/http:query-string/text()
       variable: queryString
    2) Insert
       expr: fn-bea:inlinedXML('<http:query-string xmlns:http="http://www.bea.com/wli/sb/transports/http"></http:query-string>')
       location: as first child
       XPath: ./ctx:transport/ctx:request
       in variable: outbound
    3) Insert
       expr: $queryString (created in step 1)
       location: as first child
       XPath: ./ctx:transport/ctx:request/http:query-string
       in variable: outbound
    Now the query string should be redirected properly to your business service/ GET servlet.
    George
